A critical CISO responsibility is shaping the structure, operations and efficiency of their security organization and ensuring scalability and adaptability as the wider organization evolves. This includes a long list of decisions around hierarchical design, span of control, staff leveling, compensation, functional department creation, leadership appointments, reporting structures, degree of outsourcing and more.
Challenges are common for CISOs making org and staffing decisions for dynamic organizations influenced by market conditions, growth objectives, acquisition strategies and regulatory changes.
In this piece, we're highlighting findings from our 2024 Security Leadership and Org Benchmark Report around security org design across different revenue milestones to help CISOs make more informed decisions about hiring for key functional leadership roles.
This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 800 CISOs on org design and compensation for seven dedicated, full-time security functional leader roles, one level down from the CISO.
Security Org Design Characteristics Across Three Revenue Segments
As organizations grow, their operations become more complex and involve a broader range of stakeholders. As a result, cybersecurity organizations must scale to protect against increasing risks and maintain security across the expanding business. This scaling results in three distinct org designs, each with a corresponding annual revenue range, as laid out in Figure 1.
The correlation between the company’s revenue and the number of security staff is illustrated in Figure 1.
As staff numbers increase, the structure of the security organization also evolves. To illustrate this, we developed three security organizational models, using survey data from CISOs and their teams—a combined dataset of 1,349 respondents.
The analysis grouped respondents into three groups: ‘Fortune-sized organizations’, ‘large enterprises’ and ‘midsize organizations’. Each group includes entities from a wide range of industries and ownership types, including publicly listed companies, privately-held businesses, non-profit organizations and quasi-government institutions.
Security Leadership Team Structures at Key Growth Milestones
We examined how security leadership evolves as companies grow. For this analysis, we used the responses from 800 CISOs regarding the leadership roles in their organizations and whether those positions are filled. Specifically, we asked CISOs if they have dedicated leaders for the functions SecOps, GRC, A&E, AppSec, product security and IAM and whether they have a deputy CISO. If staffed, the CISOs also provided information on the organizational level of the person in the role.
Figure 16 presents a generic security leadership org chart at six different revenue milestones. For each milestone, the chart shows the approximate percentage of CISOs who have expanded their leadership teams to include the seven key cyber leadership roles. Moving from left to right, we see a clear trend of more cyber organizations adding dedicated leaders for these key functions as companies grow.
For key leadership roles with at least 25% staffing, we included an indicator for the most common organizational level of the role—from below-director to executive-level, based on survey data. For example, at the $5 billion milestone, most CISOs in the sample are at the VP-level, while their deputy CISOs typically hold director level positions. Functional heads, in turn, are usually directors or lower (such as manager, supervisor or team lead).
Security Org Design Recommendations
This set of security team blueprints offered insights into how CISOs align their security organization’s structure with the company’s size and complexity.
From these insights, the following best practices for this summary report emerge:
Prioritize security leadership talent development
Building a robust leadership pipeline is essential for long-term security success. This requires investing in professional development, mentorship and competitive compensation packages.
Continuously assess and optimize organizational design
The security landscape is evolving rapidly. To stay ahead, CISOs should regularly evaluate and adjust their security organizational structures. This ensures they remain agile, responsive and aligned with the latest threats and needs of the business.
Cultivate strong cross-functional relationships
As security becomes more integrated with business operations, the relationship between security leaders and business leaders becomes increasingly critical. Fostering strong stakeholder relationships and engaging business leaders in impactful risk conversations positions leaders to inform organizational governance without taking direct ownership of risk.
Research-backed data like this helps CISOs not only as input into their org design and hiring decisions but also in benchmarking how their security org structure compares with that of their industry peers.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, conducts a survey of CISOs across the U.S. and Canada on CISO compensation, security budgets, key security staff compensation and job satisfaction.
The findings from this survey are published in a series of in-depth reports that feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, budget, department and career path.
Download our 2024 Security Leadership and Org Benchmark Summary Report, the third in our 2024 series of reports, for additional insights and data on functional leaders within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.